// Module included in the following assemblies: // // * security/security_profiles_operator/spo-selinux.adoc :_mod-docs-content-type: PROCEDURE [id="spo-replicating-controllers_{context}"] = Replicating controllers and SecurityContextConstraints When you deploy SELinux policies for replicating controllers, such as deployments or daemon sets, note that the `Pod` objects spawned by the controllers are not running with the identity of the user who creates the workload. Unless a `ServiceAccount` is selected, the pods might revert to using a restricted `SecurityContextConstraints` (SCC) which does not allow use of custom security policies. .Procedure . Create a project by running the following command: + [source,terminal] ---- $ oc new-project nginx-secure ---- . Create the following `RoleBinding` object to allow SELinux policies to be used in the `nginx-secure` namespace: + [source,yaml] ---- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: spo-nginx namespace: nginx-secure subjects: - kind: ServiceAccount name: spo-deploy-test roleRef: kind: Role name: spo-nginx apiGroup: rbac.authorization.k8s.io ---- . Create the `Role` object: + [source,yaml] ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: spo-nginx namespace: nginx-secure rules: - apiGroups: - security.openshift.io resources: - securitycontextconstraints resourceNames: - privileged verbs: - use ---- . Create the `ServiceAccount` object: + [source,yaml] ---- apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: null name: spo-deploy-test namespace: nginx-secure ---- . Create the `Deployment` object: + [source,yaml] ---- apiVersion: apps/v1 kind: Deployment metadata: name: selinux-test namespace: nginx-secure metadata: labels: app: selinux-test spec: replicas: 3 selector: matchLabels: app: selinux-test template: metadata: labels: app: selinux-test spec: serviceAccountName: spo-deploy-test securityContext: seLinuxOptions: type: nginx-secure_nginx-secure.process <1> containers: - name: nginx-unpriv image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21 ports: - containerPort: 8080 ---- <1> The `.seLinuxOptions.type` must exist before the Deployment is created. + [NOTE] ==== The SELinux type is not specified in the workload and is handled by the SCC. When the pods are created by the deployment and the `ReplicaSet`, the pods will run with the appropriate profile. ==== Ensure that your SCC is usable by only the correct service account. Refer to _Additional resources_ for more information.